About allowing cross-domain data loading

最新推荐文章于 2022-12-06 08:58:23 发布
最新推荐文章于 2022-12-06 08:58:23 发布
阅读量874 收藏
点赞数
分类专栏: 学习杂记 文章标签: domain wildcard file server flash access

About allowing cross-domain data loading

A Flash document can load data from an external source by using one of the following data loading calls: XML.load(), XML.sendAndLoad(), LoadVars.load(), LoadVars.sendAndLoad(), loadVariables(), loadVariablesNum(). Also, a SWF file can import runtime shared libraries, or assets defined in another SWF file, at runtime. By default, the data or SWF media, in the case of runtime shared libraries, must reside in the same domain as the SWF that is loading that external data or media.

To make data and assets in runtime shared libraries available to SWF files in different domains, use a cross-domain policy file. A cross-domain policy file is an XML file that provides a way for the server to indicate that its data and documents are available to SWF files served from certain domains, or from all domains. Any SWF file that is served from a domain specified by the server's policy file will be permitted to access data or assets from that server.

When a Flash document attempts to access data from another domain, Flash Player automatically attempts to load a policy file from that domain. If the domain of the Flash document that is attempting to access the data is included in the policy file, the data is automatically accessible.

Policy files must be named crossdomain.xml and reside at the root directory of the server that is serving the data. Policy files function only on servers that communicate over HTTP, HTTPS, or FTP. The policy file is specific to the port and protocol of the server where it resides.

For example, a policy file located at https://www.macromedia.com:8080/crossdomain.xml will apply only to data loading calls made to www.macromedia.com over HTTPS at port 8080.

An exception to this rule is the use of an XMLSocket object to connect to a socket server in another domain. In that case, an HTTP server running on port 80 in the same domain as the socket server must provide the policy file for the method call.

An XML policy file contains a single <cross-domain-policy> tag, which in turn contains zero or more <allow-access-from> tags. Each <allow-access-from> tag contains one attribute, domain, which specifies either an exact IP address, an exact domain, or a wildcard domain (any domain). Wildcard domains are indicated by either a single asterisk (*), which matches all domains and all IP addresses, or an asterisk followed by a suffix, which matches only those domains that end with the specified suffix. Suffixes must begin with a dot. However, wildcard domains with suffixes can match domains that consist of only the suffix without the leading dot. For example, foo.com is considered to be part of *.foo.com. Wildcards are not allowed in IP domain specifications.

If you specify an IP address, access will be granted only to SWF files loaded from that IP address using IP syntax (for example, http://65.57.83.12/flashmovie.swf), not those loaded using domain-name syntax. Flash Player does not perform DNS resolution.

Here is an example policy file that permits access to Flash documents that originate from foo.com, friendOfFoo.com, *.foo.com, and 105.216.0.40, from a Flash document on foo.com:

<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
  <allow-access-from domain="www.friendOfFoo.com" />
  <allow-access-from domain="*.foo.com" />
  <allow-access-from domain="105.216.0.40" />
</cross-domain-policy>

A policy file that contains no <allow-access-from> tags has the same effect as not having a policy on a server. 

hotwj
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Force MS Yahei Font Allowing Exceptions-crx插件
04-03
语言:English (United States) 对所有网站使用MS Yahei字体,但用户可以定义例外。 此Chrome插件可让您对所有允许例外的网站强制使用Microsoft Yahei字体。 用户可以在“选项”中定义这些例外。
Data Science with SQL Server
04-10
Services combines these environments, allowing direct interaction between the data on the RDBMS and the R language, all while preserving the security and safety the RDBMS contains. In this book, you’...
CORS与Cross-Domain(跨域)问题的分析和解决方案!
weixin_33871366的博客
06-01 2175
为什么80%的码农都做不了架构师?>>> ...
跨域推荐(Cross-Domain Recommendation)的最新综述
m0_57656758的博客
12-05 3531
论文解读系列第十六篇:IJCAI 2021--跨域推荐(Cross-Domain Recommendation)的最新综述 - 知乎目录1.背景介绍(1)内容层级相关性(content-level relevance)(2)用户层级相关性(user-level relevance)(3)产品层级相关性(item-level relevance)2.综述的动机3. 不同的跨域推荐场景以及挑战场景1. 单目标跨域推荐(single-target CDR)场景2. 多领域推荐(Multi-Domain Recom
浅析跨域资源共享协议相关安全问题(下)
Askshhbs的博客
04-22 608
在上一篇文章中,我主要描述了,CORS是什么,CORS的工作流程,CORS漏洞产生的背景以及CORS漏洞产生的原因,在本篇中,我主要来讲述,如何挖掘CORS漏洞,如何利用CORS漏洞,以及如何修复CORS漏洞或者说避免产生CORS漏洞。 一、如何挖掘CORS漏洞? 方式一:curl命令 curl http://victim.com/user/userinfo.php -H "Origin:https://hacker.com/" -I 如果相应包中出现下面这种组合,则说明存在CORS漏洞 .
小样本学习跨域(Cross-Domain)问题总结
m0_57656758的博客
12-06 1920
https://arxiv.org/abs/2001.08735 小样本学习跨域(Cross-domain)问题总结 - 知乎目录零·研究现状一:A CLOSER LOOK AT FEW-SHOT CLASSIFICATION实验介绍:实验设置: 实验结果:结果表明:二:A Broader Study of Cross-Domain Few-Shot Learning元学习模型测试结果:迁移学习测试结果: 结果表明:三:FEW-SHOT ACOUSTIC EVENT DETECTION VIA META L
web攻击方式 介绍
han_code的博客
05-12 1582
对于互联网上的攻击,让很多IT从业者叫苦不迭,时常一个漏洞会引发其他漏洞,导致本来看起来很小的一个失误,会引发极其严重的后果。本文旨在帮助自己和一些想了解互联网web安全防护领域的人,对常用的一些攻击方式有大概的了解,提醒自己要注意尽量规避这些错误。本文只是简单介绍一些攻击方式,并未提供原理和解决方案,后续会继续更新一些攻击的更详细介绍和解决方案,希望大家批评指正。 本文主要素材来源 CTF ...
Spartan-3AN FPGA Family Data Sheet.pdf
01-14
Spartan-3AN FPGA Family Data Sheet Introduction The Spartan®-3AN FPGA family combines the best attributes of a leading edge, low cost FPGA with nonvolatile technology across a broad range of ...
C# 7 and .NET Core: Modern Cross-Platform Development - Second Edition
10-14
about allowing multiple actions to occur at the same time to improve performance, scalability, and user productivity. Chapter 13, Building Universal Windows Platform Apps Using XAML, is about learning...
Android代码-水漫效果的 loading 动画
08-06
This is an Android project allowing to realize a beautiful circular fillable loaders to be used for splashscreen for example. USAGE To make a circular fillable loaders add CircularFillableLoaders ...
Cross-domain 相关问题解决办法
zhangt85的专栏
08-14 1304
跨域访问,结果返回无法获取问题  js发起http请求(通过ajax),发现无法获取返回结果,报错:XMLHttpRequest can not load..... 解决办法:   数据返回格式:jsonp   同时设置response的header: response().setHeader("Access-Control-Allow-Origin", "*");
跨域策略文件crossdomain.xml的配置方法
热门推荐
蝈蝈的博客
12-06 4万+
一、crossdomain.xml文件的作用    跨域,顾名思义就是需要的资源不在自己的域服务器上,需要访问其他域服务器。跨域策略文件是一个xml文档文件,主要是为web客户端(如Adobe Flash Player等)设置跨域处理数据的权限。打个比方说,公司A部门有一台公共的电脑,里面存放着一些资料文件,专门供A部门内成员自己使用,这样,A部门内的员工就可以访问该电脑,其他部门人员则不允许访问。
Cross-domain policy和/WEB-INF/flex/proxy-config.xml
douzi24的专栏
06-14 1327
flash 7开始,不同域名的资源访问受到限制,比如a.com上有一个movie浏览器要浏览b.com中的movie资源,就需要在b.com的根目录下有一个crossdomain.xml以允许a.com的访问,内容大致为   如果没有权限在b.com的根目录下放置文件也可以设置HTTPSer
OWASP 2017 TOP 10
weixin_33972649的博客
11-12 133
And how BIG-IP ASM mitigates the vulnerabilities. Vulnerability BIG-IP ASM Controls A1 Injection Flaws Attack signatures Meta character restrictions Parameter val...
论文阅读2018:We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS
一只咸鱼的小努力
03-06 492
We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS作者介绍相关知识CORSSame Origin Policy跨源发送的风险Cross Site Request Forgery (CSRF)HFPA摘要研究动机发现的问题贡献论文结构实验部分model实验方法实验总结Crafting Request...
CTF之web安全
weixin_45722313的博客
04-02 9782
web安全 CSRF 简介 CSRF,全名 Cross Site Request Forgery,跨站请求伪造。很容易将它与 XSS 混淆,对于 CSRF,其两个关键点是跨站点的请求与请求的伪造,由于目标站无 token 或 referer 防御,导致用户的敏感操作的每一个参数都可以被攻击者获知,攻击者即可以伪造一个完全一样的请求以用户的身份达到恶意目的。 CSRF 类型 按请求类型,可分为 GE...
四年300个攻击技术总结(2006-2009)
blogfeifei
03-17 273
(2006:1-65 | 2007:66-148 | 2008:149-218 | 2009:219-300) 300种思路,300个变通思维。部分文章需看。1.The Attack of the TINY URLs2.Backdooring MP3 Files3.Backdooring QuickTime Movies4.CSS history hacking with evil marketi...
网络知识扫盲
weixin_34416649的博客
05-29 135
SQL 注入 通过在用户可控参数中注入 SQL 语法,破坏原有 SQL 结构,达到编写程序时意料之外结果的攻击行为。其成因可以归结为以下两个原因叠加造成的: 1. 程序编写者在处理应用程序和数据库交互时,使用字符串拼接的方式构造 SQL 语句 2. 未对用户可控参数进行足够的过滤便将参数内容拼接进入到 SQL 语句中 XSS 跨站脚本攻击 跨站脚本攻击(Cross Site Script...
weblogic两个域的跨域信任(Enable Cross Domain Security between domains)
会写代码的大叔
12-10 398
Enable Cross Domain Security between domains Before you begin Read Enabling Cross Domain Security Between WebLogic Domains Cross Domain Security establishes trust between two WebLogic Serv...
strict-origin-when-cross-origin
最新发布
03-28
The "strict-origin-when-cross-origin" is a value of the "Referrer-Policy" HTTP header that controls how much information about the origin of a request is included in the "Referer" header when navigating from one website to another. This value is a compromise between security and functionality, and it instructs the browser to send a full URL in the "Referer" header only when navigating within the same origin, but to send only the origin (scheme, host, and port) when navigating to a different origin. This helps prevent sensitive information from being leaked to third-party websites, while still allowing legitimate functionality such as analytics and cross-origin requests to function properly. Overall, using the "strict-origin-when-cross-origin" value helps protect user privacy and security while minimizing the impact on website functionality.
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值